VYPR research. Published May 21, 2026. 3 sources.

Chinese APT Groups Share 'Showboat' Linux Backdoor in Central Asia Telco Espionage Campaign

Chinese state-aligned hackers have been using a Linux backdoor called 'Showboat' to spy on telecommunications providers in Central Asia, with evidence suggesting the malware is shared among multiple APT groups.

Chinese state-aligned hackers have been conducting a long-running espionage campaign against telecommunications providers in Central Asia using a newly discovered Linux post-exploitation framework called 'Showboat,' also known as 'kworker.' Researchers at Black Lotus Labs observed multiple clusters of Showboat activity targeting diverse victims, including an internet service provider in Afghanistan and an unknown IP in the disputed Donbas region of eastern Ukraine, suggesting the malware is being traded among Chinese advanced persistent threat (APT) groups.

The malware, first observed in 2019, is used by at least one APT group identified as Calypso (also known as Red Lamassu), according to analysis from PricewaterhouseCoopers (PwC). Calypso is a lesser-discussed Chinese espionage group that operates primarily in regions where Western cybersecurity companies have less visibility, including Afghanistan, Kazakhstan, Turkey, and India. The group uses Showboat alongside a Windows backdoor of similar sophistication called 'JFMBackdoor,' allowing it to tailor its toolset to the target environment.

Showboat's most notable capability is its ability to scan for and infect devices on a local area network that are not directly connected to the public internet. 'If you do happen to find this in your network, there's probably a whole lot of other bad stuff in the network, and you're about to have a very long weekend,' said Danny Adamitis, principal information security engineer at Black Lotus Labs. Despite its utility, Showboat is not considered a top-tier tool compared to China's most advanced telco malware like BPFdoor, which can conceal command-and-control traffic in HTTPS requests and ICMP pings.

What makes Showboat particularly concerning is its stealth. Evidence suggests the malware has been active since at least mid-2022, yet by the time researchers analyzed it this year, it registered zero detections on VirusTotal. 'You don't necessarily always have to write your backdoors exclusively in assembly and do a weird matching packet thing over ICMP,' Adamitis noted. 'It appears as though they're still having a moderate degree of success with something that is a little bit more run of the mill.'

Black Lotus Labs tracked multiple, apparently separate Chinese threat clusters passing Showboat around without committing to long, high-value campaigns. One cluster connected to IP addresses in the US and the Donbas region, while another deployed it against organizations in countries with less mature cybersecurity, including an ISP in Afghanistan and unnamed victims in Azerbaijan and the Middle East. This pattern suggests the malware is being tested in smaller markets before being deployed against more serious targets.

'What China likes to do is they'll designate certain parts of the world as kind of a laboratory,' said Black Lotus Labs researcher Ryan English. 'They'll test malware against perfectly updated virtual systems, then they'll bring it out into the real world in a small market test. Does this work against that bank in Africa? Does this work against that telco in Vietnam? And if it does, they're feeling more confident to bring it out to more serious targets.'

The discovery of Showboat highlights the persistent threat posed by Chinese state-sponsored cyber espionage against telecommunications infrastructure, which often runs on Unix-based systems. The sharing of tools among multiple APT groups complicates attribution and defense, as organizations may face attacks from different threat actors using the same malware. The campaign underscores the importance of monitoring for even seemingly unsophisticated backdoors, as their low detection rates can enable long-term access and data theft.

The campaign has now been tied to the Calypso (Red Lamassu) group and expanded to include a Windows implant called JFMBackdoor alongside the previously reported Showboat Linux backdoor. Researchers at Lumen's Black Lotus Labs and PwC Threat Intelligence detail that JFMBackdoor provides full-featured espionage capabilities including reverse shell access, TCP proxying for lateral movement, and screenshot capture. The operation has been active since at least mid-2022 and targets telecom providers across Asia Pacific and the Middle East, with infrastructure analysis suggesting the tooling is shared across multiple China-aligned threat groups.

Lumen Technologies' Black Lotus Labs has now publicly documented the Showboat malware, revealing it has been active since at least mid-2022 against a Middle Eastern telecom provider. The modular Linux backdoor functions as a SOCKS5 proxy, enabling attackers to spawn remote shells and transfer files while maintaining persistent access. This disclosure adds technical depth to the previously reported Central Asia campaign, confirming the malware's continued use against critical infrastructure in the region.
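The page names 'kworker' as an alias for Showboat and closes on the need to monitor for low-detection backdoors. A host-level check that follows from that is to look for user-space processes whose name imitates a Linux kernel worker thread. The script below is an added example written for this summary; it is not code from Black Lotus Labs, PwC or Lumen, and it assumes (nothing on this page confirms it) that the alias refers to the process name the backdoor runs under. The logic rests on facts about genuine kernel threads: they are children of kthreadd (PID 2), have an empty /proc/<pid>/cmdline, and have no /proc/<pid>/exe target. The sample process table is constructed for the demonstration.

```python
"""Flag user-space processes that masquerade as Linux kernel threads.

Added example (not from the Showboat reporting). Assumption: a backdoor
that calls itself 'kworker' will show up as a process with a kernel-style
name but with user-space properties. Real kernel threads are spawned by
kthreadd (PID 2), have an empty cmdline and no backing executable.
"""
import os
import re
from dataclasses import dataclass
from typing import Optional

# Names the kernel gives its own threads; '[' covers ps-style display names.
KERNEL_THREAD_NAME = re.compile(r"^\[?(kworker|kthreadd|ksoftirqd|kswapd|migration)\b")
KTHREADD_PID = 2


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None if no backing file


def masquerade_reasons(p: ProcInfo) -> list[str]:
    """Return evidence that a kernel-named process is really user space.

    An empty list means the process is either not kernel-named or genuine.
    """
    if p.pid == KTHREADD_PID or not KERNEL_THREAD_NAME.match(p.comm):
        return []
    reasons = []
    if p.ppid != KTHREADD_PID:
        reasons.append(f"parent is pid {p.ppid}, not kthreadd")
    if p.cmdline.strip():
        reasons.append(f"has a command line: {p.cmdline!r}")
    if p.exe is not None:
        reasons.append(f"backed by executable {p.exe}")
    return reasons


def find_masqueraders(procs: list[ProcInfo]) -> dict[int, list[str]]:
    """Map PID -> reasons for every process that looks like a masquerader."""
    findings = {}
    for p in procs:
        reasons = masquerade_reasons(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


def read_live_processes() -> list[ProcInfo]:
    """Walk /proc on a live Linux host (no-op elsewhere)."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/stat") as f:
                stat = f.read()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue  # process exited while we were reading it
        # comm is parenthesised and may contain spaces; fields follow ')'.
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        try:
            exe = os.readlink(f"{base}/exe")
        except FileNotFoundError:
            exe = None  # kernel threads have no backing file
        except PermissionError:
            exe = None  # another user's process; exe evidence needs root
        procs.append(ProcInfo(pid, ppid, comm, cmdline, exe))
    return procs


def sample_processes() -> list[ProcInfo]:
    """Constructed process table: two genuine kernel threads, one ordinary
    daemon and one user-space process named like a kernel worker."""
    return [
        ProcInfo(15, 2, "kworker/0:1", "", None),
        ProcInfo(2, 0, "kthreadd", "", None),
        ProcInfo(900, 1, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
        ProcInfo(4312, 1, "kworker/u8:3", "[kworker/u8:3]", "/tmp/.x/kworker"),
    ]


if __name__ == "__main__":
    for pid, reasons in find_masqueraders(sample_processes()).items():
        print(f"sample pid {pid}: " + "; ".join(reasons))
    for pid, reasons in find_masqueraders(read_live_processes()).items():
        print(f"live pid {pid}: " + "; ".join(reasons))
```

On the constructed table only PID 4312 is reported, with all three indicators. Run on a live host, any hit deserves a look at the executable's path and hash rather than an immediate verdict: a PPID other than 2 or a readable exe link on a kernel-named process has no benign explanation, whereas a non-empty cmdline alone can come from a container runtime or a ptrace-restricted environment and should be weighed with the other two.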

Synthesized by Vypr AI